import "elf"

// Hunting rule: flags ELF files that contain the text "pcap" or "setsockopt".
// This is a triage aid rather than a verdict. Both strings are plain substrings,
// so a hit only shows that the text is present somewhere in the file.
rule setsockopt {
  meta:
    author = "Tim Brown @timb_machine"
    description = "Hunts for setsockopt() red flags"
  strings:
    // No modifiers are set, so both are case-sensitive ASCII substring matches
    // anywhere in the file. "pcap" also matches inside longer names such as
    // library or symbol names that contain it.
    $pcap = "pcap"
    $setsockopt = "setsockopt"
  condition:
    // The elf module field is only defined for ELF input, so this clause
    // restricts the rule to ELF files with at least one section.
    // NOTE(review): an ELF with no section header table reports zero sections
    // and will not match. Confirm that exclusion is intended.
    elf.number_of_sections > 0 and any of ($pcap, $setsockopt)
}
